Custom Binding Question

  • Question

  • I am trying to do WCF custom binding and having difficulty doing this. I am hoping one of the experts can help me.

     

    I am trying to do a custom binding to provide functionality that basicHttpBinding does not provide out of the box. I would like to do transport-based security (UserName) over http (not https).

     

    Here is my config setting:

              <customBinding>
                <binding name="customBinding_IMyService">
                  <textMessageEncoding writeEncoding="utf-8" />
                  <security authenticationMode="UserNameOverTransport" />
                  <httpTransport/>
                </binding> 
              </customBinding>


    In my code I attach credential:

    client.ClientCredentials.UserName.UserName = theUserName;
    client.ClientCredentials.UserName.Password = thePassword;


    When I call the service method, I get this error:

    The 'CustomBinding'.'http://tempuri.org/' binding for the 'IMyService'.'http://tempuri.org/' contract is configured with an authentication mode that requires transport level integrity and confidentiality. However the transport cannot provide integrity and confidentiality.

     

    Can somebody look at my config setting and see what setting I am missing or set up wrong?

     

    Help is much appreciated.

     

    Thanks,
    Kim

    Saturday, April 5, 2008 5:12 PM

All replies

  • From the error description, the problem is that this isn't really legal. Http isn't a protocol that can't provide confidentiality so passing credentials like this is unsafe at the transport level. Transport security requires a binding that can be confidential: http://blogs.msdn.com/drnick/archive/2006/04/28/basics-of-transport-security.aspx

    Saturday, April 5, 2008 7:01 PM
    Moderator
  • Just to confirm, does this mean it is not possible to use WCF custom bindings to pass username/password credentials using http? The client and the service are running inside our intranet environment.

     

    Thanks,

    Kim

    Sunday, April 6, 2008 5:25 AM
  • What Dan is (quite correctly) saying is that you cannot do transport-level security with a transport (like http) that cannot support it. To do transport-level security with the http protocol, you'll need to use the https transport.

     

    It is still possible to do security at a higher level (like message level) over http, see http://msdn2.microsoft.com/en-us/library/ms731058.aspx for an example.

    Monday, April 7, 2008 7:37 PM
  • Hi Mark,

     

    Unfortunately, I will be calling a web service that does not support the new WS* standards, therefore I cannot use wsHttpBinding.

     

    What I need is a BasicHttpBinding-like binding that allows a username token (either by transport or by message) using http (not https). I was hoping I could do this using custom binding.

     

    Thanks,

    Kim 

    • Proposed as answer by ptpavankumar Monday, April 19, 2010 1:40 AM
    Tuesday, April 8, 2008 1:35 AM
  • I suppose you can do so by customBinding provided you assert that Https security is applied.

    This can be done by creating customHttpTransportBinding which inherits from HttpTransportBinding.

    // Namespaces needed by the three classes in this post.
    using System;
    using System.Net.Security;
    using System.ServiceModel.Channels;
    using System.ServiceModel.Configuration;

    // Configuration element for the custom transport.
    class CustomHttpTransportElement : HttpTransportElement
    {
        public override void ApplyConfiguration(BindingElement bindingElement)
        {
            base.ApplyConfiguration(bindingElement);
        }

        public override Type BindingElementType
        {
            get { return typeof(CustomHttpTransportBindingElement); }
        }

        protected override BindingElement CreateBindingElement()
        {
            return base.CreateBindingElement();
        }

        // Hand back the custom transport instead of the stock HttpTransportBindingElement.
        protected override TransportBindingElement CreateDefaultBindingElement()
        {
            return new CustomHttpTransportBindingElement();
        }
    }

     

    and

     

    // HTTP transport that reports the capabilities defined in CustomSecurityCapabilities.
    public class CustomHttpTransportBindingElement : HttpTransportBindingElement, ITransportTokenAssertionProvider
    {
        public CustomHttpTransportBindingElement()
        {
        }

        public CustomHttpTransportBindingElement(CustomHttpTransportBindingElement elementToBeCloned)
            : base(elementToBeCloned)
        {
        }

        public override BindingElement Clone()
        {
            return new CustomHttpTransportBindingElement(this);
        }

        public override T GetProperty<T>(BindingContext context)
        {
            // Answer the security capability query with the custom claims;
            // every other property comes from the base HTTP transport.
            if (typeof(T) == typeof(ISecurityCapabilities))
            {
                return (T)(object)new CustomSecurityCapabilities();
            }
            return base.GetProperty<T>(context);
        }

        public override IChannelFactory<TChannel> BuildChannelFactory<TChannel>(BindingContext context)
        {
            return base.BuildChannelFactory<TChannel>(context);
        }

        #region ITransportTokenAssertionProvider Members

        // No transport token assertion is supplied.
        public System.Xml.XmlElement GetTransportTokenAssertion()
        {
            return null;
        }

        #endregion
    }

     

    and finally

    // Claims EncryptAndSign for requests and responses although plain HTTP
    // provides neither; the messages themselves stay unencrypted and unsigned.
    public class CustomSecurityCapabilities : ISecurityCapabilities
    {
        #region ISecurityCapabilities Members

        public ProtectionLevel SupportedRequestProtectionLevel
        {
            get { return ProtectionLevel.EncryptAndSign; }
        }

        public ProtectionLevel SupportedResponseProtectionLevel
        {
            get { return ProtectionLevel.EncryptAndSign; }
        }

        public bool SupportsClientAuthentication
        {
            get { return false; }
        }

        public bool SupportsClientWindowsIdentity
        {
            get { return false; }
        }

        public bool SupportsServerAuthentication
        {
            get { return true; }
        }

        #endregion
    }

    I have got this solution from sites

    http://www.devproconnections.com/content.aspx?topic=custom-bindings-part-i&catpath=microsoft-net-framework

    and

    http://www.windowsitpro.com/article/net-framework2/custom-bindings-part-ii.aspx

    Let me know if you have solved your issues.

     

     


    Pavan Kumar Puttaparthi Tirumala Software Engineer Console Australia Pty Ltd
    • Proposed as answer by Binh Truong Thursday, August 12, 2010 6:55 AM
    Monday, April 19, 2010 1:46 AM
  • The solution works great, ptpavankumar.

    Thanks.

    Thursday, August 12, 2010 6:55 AM
  • Glad my compilation was of some help for you...
    Pavan Kumar Puttaparthi Tirumala Software Engineer Console Australia Pty Ltd
    Thursday, August 12, 2010 7:12 AM
  • I have a suggestion that could work nicely too.

    This guy suggests an http digest authentication that substitutes the IIS authentication system.

    http://www.rassoc.com/gregr/weblog/2002/07/09/web-services-security-http-digest-authentication-without-active-directory/

    It works great with usual Asp.NET applications and old style Web Services, but to be able to use it with WCF it was not very easy to find out.

    The WCF authentication system is separated from IIS authentication.

    After a whole week looking for the solution I found the trick. I posted it at the page.

    It is just great because you don't need certificates or SSL, but the authentication data is not transmitted in clear format.

    Thursday, October 20, 2011 6:39 AM
  • With .NET Framework 3.5 SP1 and 4.0 you do not need to do fake security capabilities.

    You can use new properties like allowInsecureTransport=True in the custom binding. I faced the same issue and put up this post to explain it.

    http://www.suneet.net/FrmBlogViewer.aspx?blogid=65

     

    HTH


    MCTS BTS 2006
    Tuesday, January 3, 2012 2:55 PM
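
Added example, not part of any post in this thread: the question's binding with the `allowInsecureTransport` setting from the last reply, next to the HTTPS form of the same binding. The binding names are hypothetical, and the framework versions are those stated in that reply.

```xml
<customBinding>
  <!-- Plain HTTP: allowInsecureTransport drops the requirement that the
       transport provide integrity and confidentiality. The user name and
       password then travel in the message unencrypted and unsigned, so
       anyone able to read traffic on the network path can read them. -->
  <binding name="userNameOverHttp"> <!-- hypothetical name -->
    <security authenticationMode="UserNameOverTransport"
              allowInsecureTransport="true" />
    <textMessageEncoding writeEncoding="utf-8" />
    <httpTransport />
  </binding>

  <!-- HTTPS: the same authentication mode over a transport that protects
       the credentials, so allowInsecureTransport is not needed. -->
  <binding name="userNameOverHttps"> <!-- hypothetical name -->
    <security authenticationMode="UserNameOverTransport" />
    <textMessageEncoding writeEncoding="utf-8" />
    <httpsTransport />
  </binding>
</customBinding>
```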